CVE-2022-0125: 
GitLab vulnerability analysis and mitigation

An issue was discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project (GitLab Security, CVE Details).

The vulnerability stems from a lack of proper access control validation in the API endpoint for importing project members. While the GitLab UI enforced proper access controls, the API endpoint /projects/:id/importprojectmembers/:project_id did not validate whether the requesting user had maintainer access to the target project. This allowed users to bypass intended access restrictions. The issue has been assigned a CVSS score indicating medium severity (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3) (GitLab Security).

The vulnerability allowed users to import members from any project they could view (including public projects and private projects where they had Guest access or higher), even without having maintainer permissions on the target project. This bypassed GitLab's intended security model where importing members should be restricted to users who are maintainers on both the source and target projects (GitLab Security).

The vulnerability has been fixed in GitLab versions 14.6.2, 14.5.3, and 14.4.5. Users are strongly recommended to upgrade to one of these versions immediately. The fix implements proper access control validation in the API endpoint to match the security controls present in the UI (GitLab Security).